Re: BP role and BP type

Hi,
Could anyone please differentiate BP role and BP type with examples?
Regards,
Prabhu

Hi Prabhu,
Using the business partner type you can organize your business partners flexibly. Using business partner types, you can show or hide fields in the activity Configure field attributes per business partner type.
The following business partner types are supplied by SAP:
0001
0002
You can assign a business partner role to a business partner in order to specify its function. You define BP roles in Customizing.
A program can access specific business partner roles for a business partner using the business partner role category. You likewise define BP role categories in Customizing.
The business partner views are defined in the Business Data Toolset (BDT) and are used for screen control, which you can define using the assignment to a BP role in Customizing, for example, to control which business partner data should be displayed in the dialog when the relevant role has been selected.
You can get more details in the CRM IMG.
Hope it helps you,
Regards,
Shweta

Similar Messages

  • Partner role and document type.

    Hi,
    how can I link partner role to document type?
    The problem is that for some document types, during PO creation
    it is not possible to see any partner in the partner view (header).
    The same happens in printing; I have to select the partner manually.
    The inforecord exists.
    How can I solve the above problem?
    Best regards

    Go to SPRO - MM - Purchasing - Partner determination - Partner Settings in Purchasing Documents.
    Here you can do all the settings.

  • Urgent: User Roles assigned to Sales Orgs and document types

    Dear Guru's :
    I have job user roles on one side and sales orgs on the other side. We are trying to find out which sales orgs are using what sales document types.
    All I am trying to achieve is to connect those two and make a report. It needs to be done by SE16.
    First step is:
    PFCG - Enter Role - Click glasses - Authorizations - Display Authorization data
    You need to identify the authorization objects for each T-code and then assign the appropriate values for each authorization object. These authorization objects are assigned to a Role and then, allowed T-codes are assigned to Role and
    My Basis Person to Create one AUTHORIZATION OBJECT V_VBAK_AAT (Sales Document: Authorization for Sales Document Types) and assign your required transaction codes to that authorization and assign them to the users.
    User IDs which can use this Role (set of authorizations) can be assigned to this role.
    Second step is achieved through SE16:
    Execute these two tables:
    There is no one-shot for this. However, there is a way out for this outside SAP.
    You can download AGR_1251 and AGR_1252 for the selected roles and use MS Excel or Access to do this compare for you. It's a bit more tricky than said; however, once you get the hang of it, I think it's a good way of reducing the effort of making use of individual compare reports.
    Does anyone know how to do this? I am kind of lost here. Could you help me to organize this process / steps?
    Full points will be given to who helps me answer my question.
    Thank you in advance.

    Dear Raghu and all:
    I am very thankful to you for your answer, Raghu. This is exactly what I was looking for. Could you throw more light on this topic? Or do you know where I can get more info or more tcodes related to this topic? I am using SUIM and PFCG. I don't know much about these transactions. Could you please help me to understand this topic?
    I have the authorization object through which I found out which sales documents are attached to users. I don't know the next step in this process. Or does anyone know anything about this subject? I will be grateful for any help.
    Van bills.
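The offline comparison described in this thread, written as a small script instead of Excel or Access. This is an added example, not code from the thread: it assumes AGR_1251 was downloaded from SE16 as tab-separated text with the columns AGR_NAME, OBJECT, AUTH, FIELD, LOW and HIGH, it reads sales organisations from object V_VBAK_VKO (field VKORG), and the role names and rows in the sample are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an SE16 download of AGR_1251 (tab-separated).
# Role names and AUTH ids are made up; the column names are AGR_1251 fields.
SAMPLE_AGR_1251 = (
    "AGR_NAME\tOBJECT\tAUTH\tFIELD\tLOW\tHIGH\n"
    "Z_SALES_CLERK_1000\tV_VBAK_AAT\tT_EX00000100\tAUART\tOR\t\n"
    "Z_SALES_CLERK_1000\tV_VBAK_AAT\tT_EX00000100\tAUART\tRE\t\n"
    "Z_SALES_CLERK_1000\tV_VBAK_AAT\tT_EX00000100\tACTVT\t01\t\n"
    "Z_SALES_CLERK_1000\tV_VBAK_VKO\tT_EX00000200\tVKORG\t1000\t\n"
    "Z_SALES_ADMIN\tV_VBAK_AAT\tT_EX00000300\tAUART\t*\t\n"
    "Z_SALES_ADMIN\tV_VBAK_VKO\tT_EX00000400\tVKORG\t1000\t2000\n"
    "Z_DISPLAY_ONLY\tS_TCODE\tT_EX00000500\tTCD\tVA03\t\n"
)

# (authorization object, field) pairs that carry the values we want to report.
FIELDS_OF_INTEREST = {
    ("V_VBAK_AAT", "AUART"): "doc_types",   # sales document types
    ("V_VBAK_VKO", "VKORG"): "sales_orgs",  # sales organisations
}


def format_value(low, high):
    """Render a single value or a LOW-HIGH range as one string."""
    low, high = low.strip(), (high or "").strip()
    return f"{low}-{high}" if high else low


def load_role_values(tsv_text):
    """Collect document types and sales orgs per role from an AGR_1251 export."""
    roles = defaultdict(lambda: {"doc_types": set(), "sales_orgs": set()})
    for row in csv.DictReader(io.StringIO(tsv_text), delimiter="\t"):
        key = FIELDS_OF_INTEREST.get((row["OBJECT"], row["FIELD"]))
        if key is None or not row["LOW"].strip():
            continue  # other objects/fields and empty values are not reported
        roles[row["AGR_NAME"]][key].add(format_value(row["LOW"], row["HIGH"]))
    return roles


def sales_org_report(roles):
    """Return sorted (sales_org, doc_type, role) rows.

    The two objects are checked independently, so every sales org in a role
    is combined with every document type in the same role.
    """
    rows = set()
    for role, values in roles.items():
        for org in values["sales_orgs"] or {"<none>"}:
            for doc_type in values["doc_types"] or {"<none>"}:
                rows.add((org, doc_type, role))
    return sorted(rows)


def wildcard_roles(roles):
    """Roles that grant '*' for document type or sales org (review these first)."""
    return sorted(
        role for role, values in roles.items()
        if "*" in values["doc_types"] or "*" in values["sales_orgs"]
    )


if __name__ == "__main__":
    parsed = load_role_values(SAMPLE_AGR_1251)
    for org, doc_type, role in sales_org_report(parsed):
        print(f"{org:<10} {doc_type:<4} {role}")
    print("Wildcard roles:", wildcard_roles(parsed))
```

Joining the result with AGR_USERS (role to user assignment) gives the per-user view.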

  • Ui configuration at run time using role config key and object type

    Hi experts,
    Let me start by admitting that I am very new to the crm webui. I have a requirement in which I need to create a few z business roles and unique role config keys for them. And I have been given some requirements like below.
    - Access to Account, Service Request, Knowledge Article and FACT sheet data
    - Able to display all service requests.
    Below is the processing logic that I have been told.
    Using the role config key, different view configurations would be created for respective components in
    the component workbench.
    Based on the business role, respective role config key would be picked up and the corresponding
    view would be displayed on UI.
    In addition to this, in the IMPL class of the component work bench, DO_CONFIG_DETERMINATION
    method could also be used to specify which role config should be picked up.
    Do they mean that using the same role config key, I need to create more than one UI configuration? I was also told by someone that I need to create the configuration according to UI objects and sub objects and then, inside the DO_CONFIG_DETERMINATION method, I can check the role config key and hard code the UI object and the sub object. But I do not know how to create them.
    Could anyone tell me from where I can start and how to achieve this task?
    I apologize if my question is very basic.

    You can do the following:
    a) Go to the view you want to create a new configuration for.
    b) Choose 'Copy Configuration'.
    c) There you will be asked to enter the Role Config Key, Object Name and Sub Object Name. You can choose your own names for Object Name and Sub Object Name.
    d) Go to DO_CONFIG_DETERMINATION. There, based on your logic, you can load the configurations this way:
            " your_condition is a placeholder for your own check, e.g. on the role config key
            IF your_condition EQ abap_true.
              " Select the view configuration saved under this object type / sub type
              CALL METHOD me->set_config_keys
                EXPORTING
                  iv_object_type          = 'your_object_type'
                  iv_object_sub_type      = 'your_sub_obj_type'
                  iv_propagate_2_children = abap_false.
            ENDIF.
    Regards
    Kavindra

  • MDT 2013 Roles and features failing to install for server 2012 r2

    I am having issues trying to apply Server 2012r2 Roles and features via MDT 2013.
    Below I have attached the log.
    <![LOG[Microsoft Deployment Toolkit version: 6.2.5019.0]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[The task sequencer log is located at C:\Users\ADMINI~1\AppData\Local\Temp\SMSTSLog\SMSTS.LOG.  For task sequence failures, please consult this log.]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole"
    context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[Roles will be installed.]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[Roles specified in Role:]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  FileAndStorage-Services]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[RoleServices specified in RoleService:]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  File-Services]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  Storage-Services]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[Features specified in Feature:]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  NET-Framework-Features]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  NET-Framework-Core]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  NET-WCF-TCP-PortSharing45]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  InkAndHandwritingServices]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  Server-Media-Foundation]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  RDC]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  SNMP-Service]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  SNMP-WMI-Provider]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  Telnet-Client]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  User-Interfaces-Infra]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  Server-Gui-Mgmt-Infra]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  Desktop-Experience]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  Server-Gui-Shell]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  PowerShellRoot]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  PowerShell]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[  PowerShell-V2]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[No items were specified in variable OptionalOSRoles.]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[No items were specified in variable OptionalOSRoleServices.]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[No items were specified in variable OptionalOSFeatures.]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[ZTI Heartbeat: Processing roles (0% complete]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[Property Parameters is now = -FeatureName FileAndStorage-Services]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[Validating connection to \\WIN-7VSNJRF3PNO\DeploymentShare$\Operating Systems\Windows Server 2012 R2 SERVERSTANDARDCORE x64]LOG]!><time="10:45:23.000+000" date="08-25-2014" component="ZTIOSRole" context=""
    type="1" thread="" file="ZTIOSRole">
    <![LOG[Mapping server share: \\WIN-7VSNJRF3PNO\DeploymentShare$]LOG]!><time="10:45:24.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[Already connected to server WIN-7VSNJRF3PNO as that is where this script is running from.]LOG]!><time="10:45:24.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="1" thread=""
    file="ZTIOSRole">
    <![LOG[Copying source files locally from \\WIN-7VSNJRF3PNO\DeploymentShare$\Operating Systems\Windows Server 2012 R2 SERVERSTANDARDCORE x64\sources\sxs]LOG]!><time="10:45:24.000+000" date="08-25-2014" component="ZTIOSRole"
    context="" type="1" thread="" file="ZTIOSRole">
    <![LOG[ZTI ERROR - Unhandled error returned by ZTIOSRole: Path not found (76)]LOG]!><time="10:45:27.000+000" date="08-25-2014" component="ZTIOSRole" context="" type="3" thread="" file="ZTIOSRole">

    I have narrowed this issue down to .net 3.5 install.
    I have boot, efi, sources, support, autorun, bootmgr, bootmgr.edi, and setup.
    I have confirmed that the sxs folder is there. 
    I also just added WindowsSource=%DeployRoot%\Operating Systems\Windows Server 2012 R2 SERVERSTANDARDCORE x64\sources\sxs to my customsettings and updated the boot iso.  I am still receiving the errors.  
    One last bit of information: I am able to get to the deployment share with the sxs folder in it from the reference machine I am creating, but when I manually try to install .net 3.5 from roles and features to the share it fails. But if I copy the files locally they work fine.
    I seem to have permission issues with other subfolders also.
    Thanks,
    Anthony

  • How to do Enhancements in Reporting & What is Role and How to create Roles

    Hi All,
    Can any one tell How to do Enhancements in Reporting, and also What is Role and How to create Roles in Reporting?
    Regards,
    Kiran

    Reporting Enhancement - RSR00001 - BW: Enhancements for global variables in reporting
    And using the SAP Exit - EXIT_SAPLRRS0_001
    RSR00001- With this enhancement to global variables in reporting you have the option of determining your default values for variables. You can use this enhancement for variables, for which 'Processing by Customer-Exit' has been selected in the variable maintenance. This is valid for all variable types (characteristic value, node, hierarchy, formula and text variables). You use the Exit EXIT_SAPLRRS0_001 for this.
    The Enhancement component (RSR00001) must be assigned to a Project Created using the Transaction CMOD. On activating the Project, the Exit would become active and in turn the logic written inside the Exit.
    To ensure that the data warehousing solution reflects your company's structure and business needs, it is critical that you establish who is authorized to access the data. With SAP BW, authorizations can be defined and maintained by object and can also be applied to hierarchies, and these authorizations can be inserted into roles that are used to determine what type of content is available to specific users or user groups.
    T-code for Role maintenance - PFCG.
    Please assign points if it is useful.
    Regards
    Pavan Prakhya

  • Error in reconcilation Function - Job "Reconcile roles and privileges"

    SAP NW 7.0 SP2 Patch 3
    Roles contain Privileges
    Help file says: "If you are using roles and privileges, you will need to perform a reconciliation of the roles/privileges assigned to the users in the identity store after the roles are modified. "
    Job imported as described.
    When I let the job run on the ID-Store, for each entry, the following error message occurs:
    runFunctionsInString($FUNCTION.reconcile( MSKEY )$$) got exception
    org.mozilla.javascript.NotAFunctionException: reconcile( MSKEY )
    ...where MSKEY is, of course, the MSKEY of the entry.
    If I let run the job with the Windows-Dispatcher and as a VB-script, it produces no error; however, in the output file, there are a lot of Messages like
    "!ERROR: Invalid use of Null"
    Only some entries (of Type MX_PERSON) show the "Priviliege added: (...)" output. But the job does not add the Privileges assigned to the role, as it should.
    So, I would suggest that one redefines the SQL-Query of the Job so that it runs only on MX_PERSONS. But then, still, in my case, it does nothing.
    Has anyone better experiences with the Job?
    Edited by: Thomas P. Felder on Sep 25, 2008 10:32 AM

    The job when imported by default uses java runtime engine but the script is written in vbscript syntax so you have to change the engine or the script syntax.
    When you did your select statement did you use SELECT DISTINCT.  That will also cause errors.  I do not narrow the entry type to MX_PERSON.
    I'm installing the patch now;  I will see if I get any errors.

  • What is the difference between partner function and partner type

    Hi Gurus,
    What is the difference between partner function and partner type?
    Thanks,
    Paul

    Hi John,
    The partner types allow us to distinguish between different business partners such as customer, vendor, employee etc and the partner functions represent the functionality or role each partner plays within the business transaction.
    For example under the partner type Customer, you will find - Sold to party, Ship to party, Bill to party, Payer.
    The business partners that exist in the market place are represented with a partner type in the R/3 system. Examples of business partners are customer, vendor, employee and contact person.
    The following partner types are defined in the partner processing for the sales & distribution module –
    a.     AP – contact person (06)
    b.     KU – customer (07)
    c.     LI – vendor (08)
    d.     PE – employee/personnel (09)
    Assigning the partner functions in the SAP system determines the functions of particular partner in the sales process. One partner may take on several functions also.
    REWARD POINTS IF HELPFUL
    Regards
    Sai

  • Associate roles and permissions to users that existe on a database

    Hi,
    I want to implement secure authentication. I used ADF Configuration, but I found out that I can't bring in my users from my database. I can just create new users with roles in JDeveloper.
    Do you know how we can bring users to JDeveloper and associate roles and permissions to them?

    I found this tutorial, and this is what I did:
    1. Start up weblogic server (Run .. Start Server Instance)
    2. Log on to weblogic console ( http://localhost:7101/console/ )
    3. Use default username/password weblogic/weblogic1
    4. Create a datasource to connect to the schema where the authenticating database tables are (Services .. JDBC .. Data Sources)
    5. Use unique name for datasource. Use JNDI name of jdbc/
    6. Enter database name, schema name and password and test
    7. Add new Authentication provider (Security Realms .. myrealm .. Providers .. New)
    8. Enter datasource name, type SQLAuthenticator click Ok
    9. Going back into provider, change control flag to Sufficient
    10. Select Provider Specific tab and choose Plaintext passwords, password algorithm SHA-1
    11. Shut down weblogic
    12. Edit config.xml file in JDEV_DIR/system11.1.1.2.36.55.36/DefaultDomain/config and replace sql authenticator sql statements with those from web blog
    13. Restart weblogic.
    14. Go to users/groups tab in security realm and view users and groups imported from database
    15. Set control flag for other providers to "Sufficient"
    source : http://brent.hmdclinical.com/2010/03/using-database-tables-as-weblogic.html
    But for step 12, I don't know what I need to change and with what.

  • APO roles and auth objects

    Hello all,
    Can someone tell me the most common used Tcodes, roles and auth objects in SAP APO - DP and APO-SNP security
    thanks

    I was going to type them out but luckily for me found this link to the DP & SNP auth objects - the info there is as detailed as anything else I have seen
    http://help.sap.com/saphelp_scm50/helpdata/en/21/f6253b90e48743e10000000a11402f/content.htm
    There is a list of useful APO transactions here
    http://help.sap.com/bp_scmv241/documentation/SCM_AIO_BP_Function_List.xls
    I can't help with the standard roles as I build my own.

  • Asynchr Calls: Partner Role and My Role must be filled in Partner Link dial

    Asynchr Calls: Partner Role and My Role must be filled in Partner Link dialog ?
    Is the statement true?
    Can I leave for synchronous calls one of the role spec vacant?
    AFAIK only in asynchronous calls both drop down values must be specified.
    Peter

    Thanks for fast reply,
    Yes, I defined Partner Role and My Role, and also defined a port type for calling back the request.
    I just don't know what the endpoint address is which my async web service should use to respond to my BPEL process.
    Is there any way to find out the endpoint address at which the BPEL processes receive the callback response from asynchronous services?
    Can I get the address which the BPEL engine uses to get the response from a called web service?
    I guess it should be an obvious task but I'm really disappointed with that.

  • When to use "my role" and "partner role" in BPEL?

    I'm a bit confused when to set/use partner role and my role.
    Can anyone shed a little light,
    regards, Henrik

    Saurabh,
    > I humbly disagree with your explanation of inputs
    No need to be humble, you can boldly disagree. :)
    You're right that I did technically use the wrong term in that sentence of my explanation. I updated the post and corrected it. However the gist of what I was saying is still true.
    There are two invocation types. People use different terms but here I'll call them request-response and one-way. A request-response invocation type is used for what we typically think of as a "synchronous" process. That is, the service consumer is blocked until the service responds. It's like methodA() in Java calling methodB(). methodA() is blocked until methodB() completes. (In fact, this is exactly what it's like since all invocations on our BPEL engine ultimately go through our Java API.)
    In the case of one-way, the service consumer is not blocked. This is often referred to as fire-and-forget. It simply sends its request, then it is free to continue or do whatever it wants. Moreover, nothing is returned to the client (you fired-and-forgot, remember). Typical "asynchronous" BPEL processes uses this invocation type.
    So we have those two invocation types. Yet the problem before us how to have an asynchronous process return a result. You can't use request-response because the service consumer is blocked until the process finishes. You can't just use a one-way because nothing is returned to the caller. What to do?
    The way the BPEL standard solved the problem is to use two one-way invocation types. The first one is to invoke the process. The second one is a one-way from the BPEL process to the service consumer to return the result. There are some glaring implications of this:
    1. When the BPEL process returns its result, things have now switched: The BPEL process becomes the service consumer, and the (original) service consumer becomes the service.
    2. The service consumer has to be able to listen for one-way invocation type requests.
    3. The BPEL process has to know how and where to call the service consumer back. This information is passed in the original request. As well as containing the data payload, it contains a callback address and unique identifier. This, in essence, is what the WS-Addressing standard is about.
    Now the definition of a one-way invocation type in a WSDL is:
        <portType name="aaa">
            <operation name="bbb">
                <input message="tns:ccc"/>
            </operation>
        </portType>
    Compare that to a request-response invocation type:
        <portType name="aaa">
            <operation name="bbb">
                <input message="tns:ccc"/>
                <output message="tns:ddd"/>
            </operation>
        </portType>
    Let's look again at our example WSDL:
        <portType name="SelectService">
            <operation name="processRequestQuote">
                <input message="tns:RequestQuote_processRequestQuote"/>
            </operation>
        </portType>
        <portType name="SelectServiceCallback">
            <operation name="processRequestQuoteResponse">
                <input message="tns:RequestQuote_processRequestQuoteResponse"/>
            </operation>
        </portType>
    Here comes the good bit... Both portTypes have an <input> operation. But that's because they are both one-way invocation types, and there is no choice but use the <input> element -- that's the standard. You can't simply put <output> because there's no such thing in the standard. However we know that one of those is to actually return the result. That is, it's the output, even though it's labelled <input>.
    Hopefully that's given you enough information now. Re-read my first post, above, and it should make more sense.
    Incidentally, this is why you rarely see true asynchronous web services, because the caller has to also be a listener. And if you want to call a service, who wants to also have to write code to listen, to handle responses coming out of order, etc. This is one of the advantages of using an orchestration engine like Oracle BPEL Process Manager. The framework takes care of the hard work, and you can simply call an asynchronous service and not have to worry about how to get the response back -- the engine does it for you.
    Regards,
    Robin.
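The distinction drawn in this answer can be checked mechanically on a WSDL. The following is an added example, not code from the post: it classifies each portType operation as one-way or request-response and pairs a one-way port type with its callback port type. The sample WSDL is constructed around the portTypes quoted above; the `SyncQuote` port type, the `urn:example:quote` namespace and the "Callback" suffix convention are assumptions.

```python
import xml.etree.ElementTree as ET

WSDL_NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/"}

# Constructed WSDL fragment: the two portTypes from the post plus one
# hypothetical request-response portType (SyncQuote) for contrast.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:tns="urn:example:quote"
             targetNamespace="urn:example:quote">
  <portType name="SelectService">
    <operation name="processRequestQuote">
      <input message="tns:RequestQuote_processRequestQuote"/>
    </operation>
  </portType>
  <portType name="SelectServiceCallback">
    <operation name="processRequestQuoteResponse">
      <input message="tns:RequestQuote_processRequestQuoteResponse"/>
    </operation>
  </portType>
  <portType name="SyncQuote">
    <operation name="getQuote">
      <input message="tns:GetQuoteRequest"/>
      <output message="tns:GetQuoteResponse"/>
    </operation>
  </portType>
</definitions>"""


def classify_operations(wsdl_text):
    """Map (portType, operation) to 'one-way', 'request-response' or 'other'."""
    root = ET.fromstring(wsdl_text)
    result = {}
    for port_type in root.findall("wsdl:portType", WSDL_NS):
        for operation in port_type.findall("wsdl:operation", WSDL_NS):
            has_input = operation.find("wsdl:input", WSDL_NS) is not None
            has_output = operation.find("wsdl:output", WSDL_NS) is not None
            if has_input and has_output:
                kind = "request-response"   # caller blocks until the reply
            elif has_input:
                kind = "one-way"            # fire-and-forget
            else:
                kind = "other"              # not one of the two types discussed
            result[(port_type.get("name"), operation.get("name"))] = kind
    return result


def find_async_pairs(wsdl_text, suffix="Callback"):
    """Pair a one-way portType with a one-way '<name>Callback' portType.

    The suffix is the naming convention of the post's example (an assumption,
    not something WSDL itself defines).
    """
    all_one_way = {}
    for (port, _operation), kind in classify_operations(wsdl_text).items():
        all_one_way[port] = all_one_way.get(port, True) and kind == "one-way"
    return sorted(
        (port, port + suffix)
        for port, one_way in all_one_way.items()
        if one_way and all_one_way.get(port + suffix)
    )


if __name__ == "__main__":
    for key, kind in classify_operations(SAMPLE_WSDL).items():
        print(key, "->", kind)
    print("async pairs:", find_async_pairs(SAMPLE_WSDL))
```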

  • Want to know more about class and class type and characters in batch determ

    hi ,
    I want to know about class functionality and how it is related to batch management, meaning the functions of class type, characteristics, etc.
    ok thanks

    Hi ,
    Find the Class and Class Type for Batch Determination.
    Create Class for Batch Management
    Use
    In this step, you define two classes for use with batches. One class contains the characteristic LOBM_VFDAT: Expiration Date, and the other class with three characteristics:
    LOBM_RL: Remaining shelf life for batch,
    LOBM_LFDAT Batch determination delivery date, and
    LOBM_VFDAT Expiration date, shelf life.
    Procedure
    1. Access the activity using one of the following navigation options:
       Transaction Code: CL02
       SAP R/3 Role Menu: Installation → Create Class for Batch Management
    2. Choose Create and maintain the necessary master data manually. The relevant data can be found in the file:
       Class    | Class type | Description                       | Characteristic | Characteristic | Characteristic
       023_001  | 023        | Products with Expiration Date     | LOBM_VFDAT     |                |
       023_002  | 023        | Search class with expiration date | LOBM_RLZ       | LOBM_LFDAT     | LOBM_VFDAT
    Result
    The materials are later assigned to class 023_001 in the material masters. 023_002 is used in the batch determination search strategies for SD and PP/PI. 
    Regards,
    SAROSH

  • Authorisation group and document type

    Dear Experts
    I want our users who are using transaction F.14 to be able to process document type ZF only. I have created a role, and in the authorisation object F_BKPF_BLA
    I can see the fields authorisation group and activity. What value should I put in the authorization group field which will allow me to restrict users to work in document type ZF only?
    <removed_by_moderator>
    Edited by: Julius Bussche on Apr 30, 2008 4:53 PM

    Hi All,
    Didn't know whether to start a new post or continue this one.  Basically I have the same problem but I seem to be missing something fundamental (and I think it must be obvious!).
    Dev Team:-
    1) New transaction code created ZF10 by which amongst other things should only process the newly created document type ZF.
    Myself (Security Team):-
    1) All of our document types are defined in OBA7. 
    2) The specific document type is ZF that we want to restrict access to.
    3) In V_TBRG I have defined the custom authorisation group ZDTF against object F_BKPF_BLA.
    4) In SU24 I have defined against the custom transaction code ZF10 the authorisation object F_BKPF_BLA to be inserted with Activity values 01, 02, 03; and Authorisation Group ZDTF.
    5) Create new role and add ZF10 which then populates the auth object and values above.
    What I can't see / understand is how the document type is then restricted to ZF in the role, as it isn't defined anywhere that the authorisation group ZDTF only allows access to document type ZF.
    Any help on this will be greatly appreciated.  PS Should I have created a new thread for this ?
    Cheers
    Steve

  • Implementing roles and rules based authorisation with Azure AD

    Hi all,
    I would greatly appreciate some input on feasibility and patterns I should look at for a complex technical requirement that I am currently tasked with designing.
    We have a system that comprises a web and mobile app. In the past we have implemented session based authentication through ADAM and authorisation through custom business rules contained within the applications. The authentication mechanism is in the process
    of being migrated to Azure AD and authorisation is planned to be moved to Azure AD for our next release.
    Existing authorisation within our web application is already complex. We have users that belong to different groups with a range of permissions such as read, write or admin. Additionally each user is granted access to N customers and also N locations within
    each customer. We have a requirement that any number of combinations of customers and locations be supported. Users also need to have different permissions for each entity, i.e. read access to customer 1 location 2, write access to customer 4 and administer
    customer 7. Currently these privileges are maintained within a relational database and enforced as part of each PageLoad(). Essentially this is a combination of roles and rules based authorisation.
    We are struggling to represent this complex matrix structure within Azure AD and efficiently implement the authorisation decision in Azure AD. The driver for this technical requirement is to provide re-usability of the authorisation component to other (as
    yet unidentified) applications.
    Currently the best option we have come up with is implementing custom attributes for each class of permissions and storing within this 2048 bit field a bitmask that represents whether this permission is granted for a given location (which has a many to one
    relationship with customer).
    Any help or comment would be gratefully received,
    Phil
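A sketch of the bitmask scheme described in this post, as an added example that is not part of the original thread. It assumes one 2048-bit field per permission class, bit N standing for location index N, and a constructed location-to-customer table; the class and function names are hypothetical. Checks fail closed, and the encoding makes the hard limit of 2048 locations explicit.

```python
FIELD_BITS = 2048                 # size of the custom attribute from the post
FIELD_BYTES = FIELD_BITS // 8     # 256 bytes per permission class
PERMISSIONS = ("read", "write", "admin")

# Constructed sample data: location index -> customer id (many-to-one).
LOCATION_CUSTOMER = {0: 1, 1: 1, 2: 4, 3: 4, 4: 7}


class PermissionMasks:
    """One bitmask per permission class; bit N set means location N is granted."""

    def __init__(self, masks=None):
        self.masks = dict(masks) if masks else {p: 0 for p in PERMISSIONS}

    @staticmethod
    def _validate(permission, location):
        if permission not in PERMISSIONS:
            raise ValueError(f"unknown permission class: {permission!r}")
        if not 0 <= location < FIELD_BITS:
            raise ValueError(f"location index {location} does not fit in {FIELD_BITS} bits")

    def grant_location(self, permission, location):
        self._validate(permission, location)
        self.masks[permission] |= 1 << location

    def grant_customer(self, permission, customer):
        """Customer-level grant: set the bit of every location of that customer."""
        for location, owner in LOCATION_CUSTOMER.items():
            if owner == customer:
                self.grant_location(permission, location)

    def is_allowed(self, permission, location):
        """Deny by default: unknown class or out-of-range index is never allowed."""
        try:
            self._validate(permission, location)
        except ValueError:
            return False
        return bool((self.masks[permission] >> location) & 1)

    def to_attributes(self):
        """Serialise each mask to the fixed-width byte string stored per user."""
        return {p: m.to_bytes(FIELD_BYTES, "big") for p, m in self.masks.items()}

    @classmethod
    def from_attributes(cls, attributes):
        masks = {}
        for permission in PERMISSIONS:
            raw = attributes.get(permission, b"")
            if len(raw) > FIELD_BYTES:
                raise ValueError(f"{permission} attribute exceeds {FIELD_BYTES} bytes")
            masks[permission] = int.from_bytes(raw, "big")
        return cls(masks)


def build_sample_user():
    """Constructed user: read on one location, write on customer 4, admin on customer 7."""
    user = PermissionMasks()
    user.grant_location("read", 1)
    user.grant_customer("write", 4)
    user.grant_customer("admin", 7)
    return user


if __name__ == "__main__":
    user = build_sample_user()
    for location in sorted(LOCATION_CUSTOMER):
        granted = [p for p in PERMISSIONS if user.is_allowed(p, location)]
        print(f"location {location} (customer {LOCATION_CUSTOMER[location]}): {granted}")
```

Because a customer-level grant is expanded to location bits at grant time, a location added to that customer later is not covered until the mask is recomputed.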

    Hi
    When "Advance routing" is used for Task assignment, the task service asserts the following fact types: Task, PreviousOutcome and TaskAction to the rules engine. These facts give all the reqd info about the task (like outcome of the participant, task stage, etc.)
    Now in the defined ruleset; we can have rules as per our requirement that can extract info from the asserted fact types and assign task to the required/next participant.
    Also note that we write the advance rules for exception cases only.
    For example; let's say all participants have 2 possible Outcomes [COMPLETE, RECHECK]. We have defined the ideal task routing flow as :
    Participant A -> Participant B -> Participant C. This is the flow when all participant selects "COMPLETE"
    Now suppose B selects outcome as "RECHECK"; then the task shld move back to A. So for this case only we need to write an advance rule.
    Pls refer to the code sample at : http://download.oracle.com/technology/sample_code/hwf/workflow-106-IterativeDesign.zip
    Also dev guide : refer to section 28.3.7.2 http://download.oracle.com/docs/cd/E14571_01/integration.1111/e10224/bp_hwfmodel.htm#BABBFEJJ
    Thanks
    Edited by: Kania on May 19, 2010 2:41 AM
